Inside Sourcefire's Vulnerability Research Team

In many IT security shops, administrators rely on open-source tools to keep up with the malware bad guys continue to toss their way. One industry favorite is Sourcefire, parent of the Snort IDS tool and ClamAV.

Matt Watchinski, senior director of Sourcefire's vulnerability research team (VRT), gave CSO a behind-the-scenes look at what goes on in the vulnerability research team and how the most recent research paints a concerning picture of evolving malware and the applications that fall into the crosshairs.

CSO: Let's start with a description of what the vulnerability research team (VRT) does.

The Sourcefire VRT is a group of network security experts working around the clock to discover, assess and respond to the latest trends in hacking activities, intrusion attempts, malware and vulnerabilities. Some of the most renowned security professionals in the industry, including the ClamAV Team and authors of several standard security reference books, are members of Sourcefire VRT.

The team is supported by the vast resources of the open source Snort and ClamAV communities, making it the largest group dedicated to advances in the network security industry. The VRT develops and maintains the official rule set of Snort.org. Each rule is developed and tested using the same rigorous standards VRT uses for Sourcefire customers. The VRT also maintains shared object rules that are distributed for many platforms in binary format.

Describe the malware and vulnerabilities the team has uncovered in recent months. Anything different about the newest research?

Watchinski: As an open-source vendor, we're bringing in 4 gigs of malicious binary a day. From ClamAV logs alone we see 30,000 pieces of malware a day, 95 percent of which is traditional, the rest exploitable. We continue to see a lot of the big malware families like Zeus and the Rustock botnet.

The bad guys change their stuff pretty quickly on a daily basis. We process 50-60 samples a day that show that. Our challenge is to keep up with our own updates in real time.

ClamAV is something Sourcefire acquired a few years ago. What can you discuss regarding the integration of ClamAV into the wider Sourcefire arsenal?

Watchinski: We recently announced a partnership to deliver a free, Windows-based version of ClamAV that uses Immunet's Cloud-based Collective Immunity technology, linking together a user's network of friends to identify new threats in real-time, providing instant protection across the product's user-base. The beauty of this is that the cloud helps everyone process data quickly. Users don't have to do updates on their box and don't have to worry about uploading signatures. Updates happen in real time.

You mentioned earlier that you're finding 30-40 interesting flaws a day. What can you tell us about them?

Watchinski: An Opera flaw came in last week that looks exploitable with remote code. We're verifying that. We've also seen some targeted .pdf files over the last week or two. It was a multi-staged attack that went to a number of specific people in a couple of organisations, specifically targeting what those people do.

Watchinski: We're constantly looking at Adobe. The main thing we see is a lot of evasive capabilities being worked into attack kits. Malware is made to escape detection. It's made more difficult to analyse. We'll see a lot more of that; more complex shell code. Adobe is a big target for this stuff. It's tough for companies to determine what shell code is doing and what kind of data is being stolen.

How large is your team and how is it set up?

Watchinski: VRT has three teams, including the ClamAV team, the Snort team and a department of information that manages all the data coming in from the open source community. A lot of people in the community communicate with us over Twitter. They also use the Snort.org forums and mailing lists and developer lists. We get back to them and share our findings, usually on a one-on-one basis. They send us stuff, we take it apart to see if it's just a strange network anomaly or a real threat. All told we have 20 employees in VRT.

Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.